Alban FERAUD - Standardization & regulatory affairs director Lessons learnt from eIDAS : key success & limits 22/12/2017

Alban FERAUD - Standardization & regulatory affairs director

Lessons learnt from eIDAS : key success & limits

22/12/2017

→1 What is eIDAS?

→2 Key success

→3 Limits

→4 Main findings


Public


What is eIDAS?


eIDAS : European regulation to foster digital economy

Electronic identity and trust services

• Define a classification of electronic identity assessing their quality & trust

• Define a particular subset of trust service, with legal value, named Qualified trust services (QTS)

• Solve (some) flaws of previous eSignature directive (1999/93/CE)

Foster internal market by bringing trust & provide building blocks for Digital Single Market

• Organize cross recognition of electronic identity and trust services

• Define trust classification for better visibility

• Define role, obligations and responsibility of each party

• Organize free circulation of devices used to perform trust service

• Organize transnational usage of electronic ID and trust services

Key principles

• Technology neutral, so that it does not exclude any technology

• Legal effects are bound to metrics of quality, expressed in technology neutral terms


Uniform framework for digital identity and trust services

eIDAS : European regulation to foster digital economy

2014 July 23rd – Adoption of the regulation

2015 September 29th – Voluntary recognition of identities

2016 July 1st – Trust services rules apply

2018 September 29th – Mandatory recognition of notified identities

Trust services

Qualified vs non qualified

• Electronic signature/eSeals

• Time stamping

• Website authentication

• Verification & validation of eSignature/eSeals (Q)

• Preservation of eSignatures, eSeals or certificates related to trust services (Q)

• Electronic registered delivery service (Q)


Electronic identity

• National choice for the characteristics

• Recognition on a commonly agreed level (Low, Substantial, High)

• Recognition on a voluntary principle (opt-in principle) : notification

• BUT all the countries shall accept notified identities

Key Success


Strong interest of the private sectors

• Many benefits of digital identities

• Main sectors : mobile operators, banking

Foster digital identity programs in member states

• The automatic recognition of notified identities fosters the development of national programs

• Multiplication of electronic identity schemes to increase penetration

• Development of a market of identity providers (e.g. eResidency in EST)

Incentive to increase trust in digital identity & trust service

• Digital identity: higher trust & larger number of acceptors

• Qualified Trust service: shift of the liability that brings trust to citizen

• Digital Signature/seal with legal value: shall be combined with validation/preservation to give trust to the acceptor

• Virtuous circle to create trust in digital world

Interoperability of electronic identity is possible starting from a fragmented landscape

• Shift from the eID means to the eID scheme

• Interoperability through “nodes” interconnecting the infrastructure (backend)


Digital identity in Europe on the move

• Development of digital identity scheme

• Take up of eIDAS => development of “nodes”

• First notification in September 2017. More to come in 2018


Limits


Strong demand from the private sectors, but slow transformation

• Very narrow scope of application of the regulation. Does not cover private sectors.

• Embarking and engaging the private sector, as well as the extent and the conditions, relies on the country's will

• Still a fragmented approach

Lack of attributes management

• The exchange of attributes would have been a key enabler to foster even more usage

• Current experience shows it is difficult to leverage the digital identity infrastructure when specific attributes are required (eHealth,…)

Incomplete provision for privacy services

• Qualified electronic signature under pseudonym is allowed but…

• No word about the anonymity lifting

• Not covered by the current work on the “nodes”

Still a lot to do for electronic identity of legal persons

• Important use case concerning a target that could easily be mobilized

• Not covered by the current work on the “nodes”


Main findings


Which lessons?

Cross recognition of digital identity and trust services between countries is possible…

• Successful law

• Virtuous circles

• Notification mechanism

• Incentive to increase trust in digital identity & trust service

• For the citizen

• For the electronic signature/seal

• Successful model for close cooperation of countries willing to develop internal market and raise trust

…but take into account the limits

• From the very beginning think about identity attributes exchanges to foster all usages

• Embark & engage the private sectors in the digital identity ecosystem from the very beginning

• Include it in the provision of the law so that it can contribute & benefit from the cross recognition

• Treat with the same level of importance digital identity for legal person


CONTACT

Alban FERAUD

Standardization & regulatory affairs director

Citizen Identity Business Unit
